I think in the security space, we spend too much time on the business justification and functional part of security (reducing risk, detecting data breach violations, complying with HIPAA, writing secure Web 2.0 applications, securing cloud services, security information management, etc.).
I think we’re ignoring the emotional content of security, and I don’t necessarily mean FUD (fear, uncertainty and doubt).
Perhaps it’s time to reconstruct market boundaries of the security industry.
At the beginning, there was the notion of “selling security with FUD”, starting with anti-virus and peaking in the early 90s with the outbreak of RPC worms on Wall Street. It was pretty easy to sell security with FUD tactics. Then we had 9/11. You couldn’t frighten people anymore. Security FUD doesn’t work when the customer thinks he might be killed by an Al Qaeda or Hamas or Fatah terrorist.
Then there was the “selling security as an enabler” play, sponsored by Gartner, ISACA and a bunch of other people. This sort of made sense – but the number of real use cases where security actually enables new business (VPN, secure ecommerce sites) is rather limited and, besides, the big IT vendors can build (or at least purport to build) security into their products. Educating customers on “security as a business enabler” is a wonderful example of how market education pays off at the beginning of a new product life-cycle launch, but yields low or no benefits at all when the product has mainstreamed into general market acceptance and everyone is selling and buying.
A good example of a product that mainstreamed extremely quickly is the Apple iPad. Now, after CES, we have dozens of mobile tablets: Android tablets, Windows Mobile tablets, Ubuntu tablets, alternatives of all shapes, sizes and qualities. No one is questioning that a tablet is a great thing – Apple already did the market education for the other vendors.
Market education of CEOs on the business advantages of data security is like motherhood and apple pie: it’s a good thing. Similar to the tablet PC case, however, this sort of market education has zero or low ROI – because the CEO has already decided to buy or not buy security based on what someone else said – whether it’s Perot Outsourcing services, IBM, Oracle or his golf partner.
Consultants explaining to a CEO that security is a business enabler are selling the same security Kool-Aid as Oracle, IBM, ISACA and SAP. The only problem is that a security consultant doesn’t sell a product, but bolt-on/after-sale services – and generally doesn’t get compensated for his deep security insights over coffee.
Let’s note that the information security industry is an industry like most other industries:
- They define their industry similarly, focusing on being the best.
- They look at accepted strategic groups of buyers and market segments, for example CSOs and firewalls.
- They focus on the same buyer groups – e.g. influencers (security officers, CIOs, analysts and thought leaders).
- They define the scope of products similarly: data security, firewalls, DLP, software security assessments, etc.
- They focus on the same point in time and current competitive threats in formulating strategy; now it’s cloud, last year was DLP, etc.
But there is one factor we are missing and that is emotion:
Does the security industry accept the functional/emotional orientation of their buyers?
I’m not sure. And that will be the topic for the next post.